It seems "static" keys are coming from SkeLoaderBlock in order to survive across reboots.
Main question is: where are the keys stored in the computer? Especially when there is no TPM?
Bonus question: why not protect versions other than Enterprise/Business?
How can you benefit from it?
1. Activate Credential Guard ( )
2. It protects as-is current credentials in LSASS (sekurlsa::logonpasswords) and domain_password in the credential vault.
3. Use the VSM flag when importing P12/PFX or use the "Virtual Iso" key property
Hardware is better (real HSM, SmartCard, real TPM...), but it's definitely a good move for security of end users.
Hi Benjamin, can I, as admin, see the MachineBoundCertificate? I have realized it is a self-signed cert with the computer name in the CN. Afterwards the MachineBoundCertificate is used to do a PKInit TGT as the computer account. The pub key is in AD in msDS-KeyCredentialLink.